Hello!
I tested the spectre mitigation of different machines and kernels with
https://github.com/crozone/SpectrePoC
You can see the results below.
My question: Did I miss something?
My expectation was, that on base of the output of
/sys/devices/system/cpu/vulnerabilities/spectre_v* as shown below the problem should be gone away.
But the results seem to tell me something other ... .
Thanks
Andreas
----------------------------------------------------------------------------------------------------------------------
CPU: AMD Ryzen 7 1700X Eight-Core Processor
Bios: BIOS 4011 04/19/2018 - ibpb is listed in /proc/cpuinfo
Kernel: 4.14.44-1.1-default
cat /sys/devices/system/cpu/vulnerabilities/spectre_v2
Mitigation: Full AMD retpoline, IBPB
cat /sys/devices/system/cpu/vulnerabilities/spectre_v1
Mitigation: __user pointer sanitization
./spectre.out
Using a cache hit threshold of 80.
Build: RDTSCP_SUPPORTED MFENCE_SUPPORTED CLFLUSH_SUPPORTED INTEL_MITIGATION_DISABLED LINUX_KERNEL_MITIGATION_DISABLED
Reading 40 bytes:
Reading at malicious_x = 0xffffffffffdfec18... Success: 0x54=’T’ score=2
Reading at malicious_x = 0xffffffffffdfec19... Success: 0x68=’h’ score=2
Reading at malicious_x = 0xffffffffffdfec1a... Success: 0x65=’e’ score=2
Reading at malicious_x = 0xffffffffffdfec1b... Success: 0x20=’ ’ score=2
Reading at malicious_x = 0xffffffffffdfec1c... Success: 0x4D=’M’ score=2
Reading at malicious_x = 0xffffffffffdfec1d... Success: 0x61=’a’ score=2
Reading at malicious_x = 0xffffffffffdfec1e... Success: 0x67=’g’ score=2
Reading at malicious_x = 0xffffffffffdfec1f... Success: 0x69=’i’ score=2
Reading at malicious_x = 0xffffffffffdfec20... Success: 0x63=’c’ score=2
Reading at malicious_x = 0xffffffffffdfec21... Success: 0x20=’ ’ score=2
Reading at malicious_x = 0xffffffffffdfec22... Success: 0x57=’W’ score=2
Reading at malicious_x = 0xffffffffffdfec23... Success: 0x6F=’o’ score=2
Reading at malicious_x = 0xffffffffffdfec24... Success: 0x72=’r’ score=2
Reading at malicious_x = 0xffffffffffdfec25... Success: 0x64=’d’ score=2
Reading at malicious_x = 0xffffffffffdfec26... Success: 0x73=’s’ score=2
Reading at malicious_x = 0xffffffffffdfec27... Success: 0x20=’ ’ score=2
Reading at malicious_x = 0xffffffffffdfec28... Success: 0x61=’a’ score=2
Reading at malicious_x = 0xffffffffffdfec29... Success: 0x72=’r’ score=2
Reading at malicious_x = 0xffffffffffdfec2a... Success: 0x65=’e’ score=2
Reading at malicious_x = 0xffffffffffdfec2b... Success: 0x20=’ ’ score=2
Reading at malicious_x = 0xffffffffffdfec2c... Success: 0x53=’S’ score=2
Reading at malicious_x = 0xffffffffffdfec2d... Success: 0x71=’q’ score=2
Reading at malicious_x = 0xffffffffffdfec2e... Success: 0x75=’u’ score=2
Reading at malicious_x = 0xffffffffffdfec2f... Success: 0x65=’e’ score=2
Reading at malicious_x = 0xffffffffffdfec30... Success: 0x61=’a’ score=2
Reading at malicious_x = 0xffffffffffdfec31... Success: 0x6D=’m’ score=2
Reading at malicious_x = 0xffffffffffdfec32... Success: 0x69=’i’ score=2
Reading at malicious_x = 0xffffffffffdfec33... Success: 0x73=’s’ score=2
Reading at malicious_x = 0xffffffffffdfec34... Success: 0x68=’h’ score=2
Reading at malicious_x = 0xffffffffffdfec35... Success: 0x20=’ ’ score=2
Reading at malicious_x = 0xffffffffffdfec36... Success: 0x4F=’O’ score=2
Reading at malicious_x = 0xffffffffffdfec37... Success: 0x73=’s’ score=2
Reading at malicious_x = 0xffffffffffdfec38... Success: 0x73=’s’ score=2
Reading at malicious_x = 0xffffffffffdfec39... Success: 0x69=’i’ score=2
Reading at malicious_x = 0xffffffffffdfec3a... Success: 0x66=’f’ score=2
Reading at malicious_x = 0xffffffffffdfec3b... Success: 0x72=’r’ score=2
Reading at malicious_x = 0xffffffffffdfec3c... Success: 0x61=’a’ score=2
Reading at malicious_x = 0xffffffffffdfec3d... Success: 0x67=’g’ score=2
Reading at malicious_x = 0xffffffffffdfec3e... Success: 0x65=’e’ score=2
Reading at malicious_x = 0xffffffffffdfec3f... Success: 0x2E=’.’ score=2
----------------------------------------------------------------------------------------------------------------------
CPU: AMD G-T40E Processor
Kernel: 4.14.44-1.el6.x86_64
cat /sys/devices/system/cpu/vulnerabilities/spectre_v1
Mitigation: __user pointer sanitization
cat /sys/devices/system/cpu/vulnerabilities/spectre_v2
Mitigation: Full AMD retpoline
./spectre.out 130
Using a cache hit threshold of 130.
Build: RDTSCP_SUPPORTED MFENCE_SUPPORTED CLFLUSH_SUPPORTED INTEL_MITIGATION_DISABLED LINUX_KERNEL_MITIGATION_DISABLED
Reading 40 bytes:
Reading at malicious_x = 0xffffffffffdfebf0... Unclear: 0x54=’T’ score=999 (second best: 0x00=’?’ score=992)
Reading at malicious_x = 0xffffffffffdfebf1... Unclear: 0x68=’h’ score=996 (second best: 0x00=’?’ score=988)
Reading at malicious_x = 0xffffffffffdfebf2... Unclear: 0x65=’e’ score=999 (second best: 0x00=’?’ score=985)
Reading at malicious_x = 0xffffffffffdfebf3... Unclear: 0x20=’ ’ score=997 (second best: 0x00=’?’ score=989)
Reading at malicious_x = 0xffffffffffdfebf4... Unclear: 0x4D=’M’ score=999 (second best: 0x00=’?’ score=993)
Reading at malicious_x = 0xffffffffffdfebf5... Unclear: 0x61=’a’ score=998 (second best: 0x00=’?’ score=991)
Reading at malicious_x = 0xffffffffffdfebf6... Unclear: 0x67=’g’ score=996 (second best: 0x00=’?’ score=988)
Reading at malicious_x = 0xffffffffffdfebf7... Unclear: 0x69=’i’ score=998 (second best: 0x00=’?’ score=987)
Reading at malicious_x = 0xffffffffffdfebf8... Unclear: 0x63=’c’ score=999 (second best: 0x00=’?’ score=989)
Reading at malicious_x = 0xffffffffffdfebf9... Unclear: 0x20=’ ’ score=999 (second best: 0x00=’?’ score=989)
Reading at malicious_x = 0xffffffffffdfebfa... Unclear: 0x57=’W’ score=998 (second best: 0x5B=’[’ score=985)
Reading at malicious_x = 0xffffffffffdfebfb... Unclear: 0x6F=’o’ score=998 (second best: 0x00=’?’ score=988)
Reading at malicious_x = 0xffffffffffdfebfc... Unclear: 0x00=’?’ score=985 (second best: 0xF7=’?’ score=942)
Reading at malicious_x = 0xffffffffffdfebfd... Unclear: 0x64=’d’ score=999 (second best: 0x00=’?’ score=990)
Reading at malicious_x = 0xffffffffffdfebfe... Unclear: 0x73=’s’ score=998 (second best: 0x00=’?’ score=984)
Reading at malicious_x = 0xffffffffffdfebff... Unclear: 0x20=’ ’ score=998 (second best: 0x00=’?’ score=985)
Reading at malicious_x = 0xffffffffffdfec00... Unclear: 0x61=’a’ score=999 (second best: 0x00=’?’ score=984)
Reading at malicious_x = 0xffffffffffdfec01... Unclear: 0x72=’r’ score=999 (second best: 0x00=’?’ score=986)
Reading at malicious_x = 0xffffffffffdfec02... Unclear: 0x65=’e’ score=998 (second best: 0x00=’?’ score=980)
Reading at malicious_x = 0xffffffffffdfec03... Unclear: 0x20=’ ’ score=998 (second best: 0x00=’?’ score=992)
Reading at malicious_x = 0xffffffffffdfec04... Unclear: 0x53=’S’ score=997 (second best: 0x50=’P’ score=990)
Reading at malicious_x = 0xffffffffffdfec05... Unclear: 0x71=’q’ score=998 (second best: 0x00=’?’ score=984)
Reading at malicious_x = 0xffffffffffdfec06... Unclear: 0x75=’u’ score=999 (second best: 0x72=’r’ score=976)
Reading at malicious_x = 0xffffffffffdfec07... Unclear: 0x65=’e’ score=999 (second best: 0x00=’?’ score=988)
Reading at malicious_x = 0xffffffffffdfec08... Unclear: 0x61=’a’ score=999 (second best: 0x00=’?’ score=986)
Reading at malicious_x = 0xffffffffffdfec09... Unclear: 0x6D=’m’ score=999 (second best: 0x00=’?’ score=987)
Reading at malicious_x = 0xffffffffffdfec0a... Unclear: 0x69=’i’ score=998 (second best: 0x00=’?’ score=987)
Reading at malicious_x = 0xffffffffffdfec0b... Unclear: 0x73=’s’ score=984 (second best: 0x00=’?’ score=974)
Reading at malicious_x = 0xffffffffffdfec0c... Unclear: 0x00=’?’ score=991 (second best: 0xB4=’?’ score=933)
Reading at malicious_x = 0xffffffffffdfec0d... Unclear: 0x20=’ ’ score=999 (second best: 0x00=’?’ score=986)
Reading at malicious_x = 0xffffffffffdfec0e... Unclear: 0x4F=’O’ score=998 (second best: 0x50=’P’ score=991)
Reading at malicious_x = 0xffffffffffdfec0f... Unclear: 0x73=’s’ score=999 (second best: 0x00=’?’ score=987)
Reading at malicious_x = 0xffffffffffdfec10... Unclear: 0x73=’s’ score=998 (second best: 0x00=’?’ score=971)
Reading at malicious_x = 0xffffffffffdfec11... Unclear: 0x69=’i’ score=999 (second best: 0x00=’?’ score=980)
Reading at malicious_x = 0xffffffffffdfec12... Unclear: 0x66=’f’ score=998 (second best: 0x00=’?’ score=978)
Reading at malicious_x = 0xffffffffffdfec13... Unclear: 0x72=’r’ score=995 (second best: 0x00=’?’ score=981)
Reading at malicious_x = 0xffffffffffdfec14... Unclear: 0x61=’a’ score=996 (second best: 0x00=’?’ score=971)
Reading at malicious_x = 0xffffffffffdfec15... Unclear: 0x67=’g’ score=999 (second best: 0x00=’?’ score=975)
Reading at malicious_x = 0xffffffffffdfec16... Unclear: 0x65=’e’ score=999 (second best: 0x00=’?’ score=984)
Reading at malicious_x = 0xffffffffffdfec17... Unclear: 0x2E=’.’ score=999 (second best: 0x00=’?’ score=987)
---------------------------------------------------------------------------------------------------------------------
CPU: Intel(R) Core(TM) i5 CPU M 460 @ 2.53GHz
Kernel: 4.16.5-13.1-default
cat /sys/devices/system/cpu/vulnerabilities/spectre_v2
Mitigation: Full generic retpoline
cat /sys/devices/system/cpu/vulnerabilities/spectre_v1
Mitigation: __user pointer sanitization
./spectre.out
Using a cache hit threshold of 80.
Build: RDTSCP_SUPPORTED MFENCE_SUPPORTED CLFLUSH_SUPPORTED INTEL_MITIGATION_DISABLED LINUX_KERNEL_MITIGATION_DISABLED
Reading 40 bytes:
Reading at malicious_x = 0xffffffffffdfebe8... Success: 0x54=’T’ score=2
Reading at malicious_x = 0xffffffffffdfebe9... Success: 0x68=’h’ score=2
Reading at malicious_x = 0xffffffffffdfebea... Success: 0x65=’e’ score=2
Reading at malicious_x = 0xffffffffffdfebeb... Success: 0x20=’ ’ score=7 (second best: 0x21=’!’ score=1)
Reading at malicious_x = 0xffffffffffdfebec... Success: 0x4D=’M’ score=2
Reading at malicious_x = 0xffffffffffdfebed... Success: 0x61=’a’ score=2
Reading at malicious_x = 0xffffffffffdfebee... Success: 0x67=’g’ score=2
Reading at malicious_x = 0xffffffffffdfebef... Success: 0x69=’i’ score=7 (second best: 0xB2=’?’ score=1)
Reading at malicious_x = 0xffffffffffdfebf0... Success: 0x63=’c’ score=2
Reading at malicious_x = 0xffffffffffdfebf1... Success: 0x20=’ ’ score=2
Reading at malicious_x = 0xffffffffffdfebf2... Success: 0x57=’W’ score=2
Reading at malicious_x = 0xffffffffffdfebf3... Success: 0x6F=’o’ score=2
Reading at malicious_x = 0xffffffffffdfebf4... Success: 0x72=’r’ score=2
Reading at malicious_x = 0xffffffffffdfebf5... Success: 0x64=’d’ score=2
Reading at malicious_x = 0xffffffffffdfebf6... Success: 0x73=’s’ score=2
Reading at malicious_x = 0xffffffffffdfebf7... Success: 0x20=’ ’ score=2
Reading at malicious_x = 0xffffffffffdfebf8... Success: 0x61=’a’ score=2
Reading at malicious_x = 0xffffffffffdfebf9... Success: 0x72=’r’ score=7 (second best: 0x22=’"’ score=1)
Reading at malicious_x = 0xffffffffffdfebfa... Success: 0x65=’e’ score=2
Reading at malicious_x = 0xffffffffffdfebfb... Success: 0x20=’ ’ score=2
Reading at malicious_x = 0xffffffffffdfebfc... Success: 0x53=’S’ score=2
Reading at malicious_x = 0xffffffffffdfebfd... Success: 0x71=’q’ score=2
Reading at malicious_x = 0xffffffffffdfebfe... Success: 0x75=’u’ score=2
Reading at malicious_x = 0xffffffffffdfebff... Success: 0x65=’e’ score=2
Reading at malicious_x = 0xffffffffffdfec00... Success: 0x61=’a’ score=2
Reading at malicious_x = 0xffffffffffdfec01... Success: 0x6D=’m’ score=2
Reading at malicious_x = 0xffffffffffdfec02... Success: 0x69=’i’ score=2
Reading at malicious_x = 0xffffffffffdfec03... Success: 0x73=’s’ score=2
Reading at malicious_x = 0xffffffffffdfec04... Success: 0x68=’h’ score=2
Reading at malicious_x = 0xffffffffffdfec05... Success: 0x20=’ ’ score=2
Reading at malicious_x = 0xffffffffffdfec06... Success: 0x4F=’O’ score=2
Reading at malicious_x = 0xffffffffffdfec07... Success: 0x73=’s’ score=2
Reading at malicious_x = 0xffffffffffdfec08... Success: 0x73=’s’ score=2
Reading at malicious_x = 0xffffffffffdfec09... Success: 0x69=’i’ score=2
Reading at malicious_x = 0xffffffffffdfec0a... Success: 0x66=’f’ score=2
Reading at malicious_x = 0xffffffffffdfec0b... Success: 0x72=’r’ score=2
Reading at malicious_x = 0xffffffffffdfec0c... Success: 0x61=’a’ score=2
Reading at malicious_x = 0xffffffffffdfec0d... Success: 0x67=’g’ score=7 (second best: 0x42=’B’ score=1)
Reading at malicious_x = 0xffffffffffdfec0e... Success: 0x65=’e’ score=2
Reading at malicious_x = 0xffffffffffdfec0f... Success: 0x2E=’.’ score=2
Hello!
Sorry for a ping - but I think the behavior shown below should really be
investigated!
Thanks,
Andreas
On 06/01/2018 at 02:19 PM Andreas Hartmann wrote:
> Hello!
>
> I tested the spectre mitigation of different machines and kernels with
> https://github.com/crozone/SpectrePoC
>
> You can see the results below.
>
>
> My question: Did I miss something?
> My expectation was, that on base of the output of
> /sys/devices/system/cpu/vulnerabilities/spectre_v* as shown below the
> problem should be gone away.
> But the results seem to tell me something other ... .
>
>
> Thanks
> Andreas
>
>
>
>
> ----------------------------------------------------------------------------------------------------------------------
>
> CPU: AMD Ryzen 7 1700X Eight-Core Processor
> Bios: BIOS 4011 04/19/2018 - ibpb is listed in /proc/cpuinfo
> Kernel: 4.14.44-1.1-default
> cat /sys/devices/system/cpu/vulnerabilities/spectre_v2
> Mitigation: Full AMD retpoline, IBPB
> cat /sys/devices/system/cpu/vulnerabilities/spectre_v1
> Mitigation: __user pointer sanitization
>
> ./spectre.out
> Using a cache hit threshold of 80.
> Build: RDTSCP_SUPPORTED MFENCE_SUPPORTED CLFLUSH_SUPPORTED
> INTEL_MITIGATION_DISABLED LINUX_KERNEL_MITIGATION_DISABLED
> Reading 40 bytes:
> Reading at malicious_x = 0xffffffffffdfec18... Success: 0x54=’T’ score=2
> Reading at malicious_x = 0xffffffffffdfec19... Success: 0x68=’h’ score=2
> Reading at malicious_x = 0xffffffffffdfec1a... Success: 0x65=’e’ score=2
> Reading at malicious_x = 0xffffffffffdfec1b... Success: 0x20=’ ’ score=2
> Reading at malicious_x = 0xffffffffffdfec1c... Success: 0x4D=’M’ score=2
> Reading at malicious_x = 0xffffffffffdfec1d... Success: 0x61=’a’ score=2
> Reading at malicious_x = 0xffffffffffdfec1e... Success: 0x67=’g’ score=2
> Reading at malicious_x = 0xffffffffffdfec1f... Success: 0x69=’i’ score=2
> Reading at malicious_x = 0xffffffffffdfec20... Success: 0x63=’c’ score=2
> Reading at malicious_x = 0xffffffffffdfec21... Success: 0x20=’ ’ score=2
> Reading at malicious_x = 0xffffffffffdfec22... Success: 0x57=’W’ score=2
> Reading at malicious_x = 0xffffffffffdfec23... Success: 0x6F=’o’ score=2
> Reading at malicious_x = 0xffffffffffdfec24... Success: 0x72=’r’ score=2
> Reading at malicious_x = 0xffffffffffdfec25... Success: 0x64=’d’ score=2
> Reading at malicious_x = 0xffffffffffdfec26... Success: 0x73=’s’ score=2
> Reading at malicious_x = 0xffffffffffdfec27... Success: 0x20=’ ’ score=2
> Reading at malicious_x = 0xffffffffffdfec28... Success: 0x61=’a’ score=2
> Reading at malicious_x = 0xffffffffffdfec29... Success: 0x72=’r’ score=2
> Reading at malicious_x = 0xffffffffffdfec2a... Success: 0x65=’e’ score=2
> Reading at malicious_x = 0xffffffffffdfec2b... Success: 0x20=’ ’ score=2
> Reading at malicious_x = 0xffffffffffdfec2c... Success: 0x53=’S’ score=2
> Reading at malicious_x = 0xffffffffffdfec2d... Success: 0x71=’q’ score=2
> Reading at malicious_x = 0xffffffffffdfec2e... Success: 0x75=’u’ score=2
> Reading at malicious_x = 0xffffffffffdfec2f... Success: 0x65=’e’ score=2
> Reading at malicious_x = 0xffffffffffdfec30... Success: 0x61=’a’ score=2
> Reading at malicious_x = 0xffffffffffdfec31... Success: 0x6D=’m’ score=2
> Reading at malicious_x = 0xffffffffffdfec32... Success: 0x69=’i’ score=2
> Reading at malicious_x = 0xffffffffffdfec33... Success: 0x73=’s’ score=2
> Reading at malicious_x = 0xffffffffffdfec34... Success: 0x68=’h’ score=2
> Reading at malicious_x = 0xffffffffffdfec35... Success: 0x20=’ ’ score=2
> Reading at malicious_x = 0xffffffffffdfec36... Success: 0x4F=’O’ score=2
> Reading at malicious_x = 0xffffffffffdfec37... Success: 0x73=’s’ score=2
> Reading at malicious_x = 0xffffffffffdfec38... Success: 0x73=’s’ score=2
> Reading at malicious_x = 0xffffffffffdfec39... Success: 0x69=’i’ score=2
> Reading at malicious_x = 0xffffffffffdfec3a... Success: 0x66=’f’ score=2
> Reading at malicious_x = 0xffffffffffdfec3b... Success: 0x72=’r’ score=2
> Reading at malicious_x = 0xffffffffffdfec3c... Success: 0x61=’a’ score=2
> Reading at malicious_x = 0xffffffffffdfec3d... Success: 0x67=’g’ score=2
> Reading at malicious_x = 0xffffffffffdfec3e... Success: 0x65=’e’ score=2
> Reading at malicious_x = 0xffffffffffdfec3f... Success: 0x2E=’.’ score=2
>
>
> ----------------------------------------------------------------------------------------------------------------------
>
> CPU: AMD G-T40E Processor
> Kernel: 4.14.44-1.el6.x86_64
> cat /sys/devices/system/cpu/vulnerabilities/spectre_v1
> Mitigation: __user pointer sanitization
> cat /sys/devices/system/cpu/vulnerabilities/spectre_v2
> Mitigation: Full AMD retpoline
>
> ./spectre.out 130
> Using a cache hit threshold of 130.
> Build: RDTSCP_SUPPORTED MFENCE_SUPPORTED CLFLUSH_SUPPORTED
> INTEL_MITIGATION_DISABLED LINUX_KERNEL_MITIGATION_DISABLED
> Reading 40 bytes:
> Reading at malicious_x = 0xffffffffffdfebf0... Unclear: 0x54=’T’
> score=999 (second best: 0x00=’?’ score=992)
> Reading at malicious_x = 0xffffffffffdfebf1... Unclear: 0x68=’h’
> score=996 (second best: 0x00=’?’ score=988)
> Reading at malicious_x = 0xffffffffffdfebf2... Unclear: 0x65=’e’
> score=999 (second best: 0x00=’?’ score=985)
> Reading at malicious_x = 0xffffffffffdfebf3... Unclear: 0x20=’ ’
> score=997 (second best: 0x00=’?’ score=989)
> Reading at malicious_x = 0xffffffffffdfebf4... Unclear: 0x4D=’M’
> score=999 (second best: 0x00=’?’ score=993)
> Reading at malicious_x = 0xffffffffffdfebf5... Unclear: 0x61=’a’
> score=998 (second best: 0x00=’?’ score=991)
> Reading at malicious_x = 0xffffffffffdfebf6... Unclear: 0x67=’g’
> score=996 (second best: 0x00=’?’ score=988)
> Reading at malicious_x = 0xffffffffffdfebf7... Unclear: 0x69=’i’
> score=998 (second best: 0x00=’?’ score=987)
> Reading at malicious_x = 0xffffffffffdfebf8... Unclear: 0x63=’c’
> score=999 (second best: 0x00=’?’ score=989)
> Reading at malicious_x = 0xffffffffffdfebf9... Unclear: 0x20=’ ’
> score=999 (second best: 0x00=’?’ score=989)
> Reading at malicious_x = 0xffffffffffdfebfa... Unclear: 0x57=’W’
> score=998 (second best: 0x5B=’[’ score=985)
> Reading at malicious_x = 0xffffffffffdfebfb... Unclear: 0x6F=’o’
> score=998 (second best: 0x00=’?’ score=988)
> Reading at malicious_x = 0xffffffffffdfebfc... Unclear: 0x00=’?’
> score=985 (second best: 0xF7=’?’ score=942)
> Reading at malicious_x = 0xffffffffffdfebfd... Unclear: 0x64=’d’
> score=999 (second best: 0x00=’?’ score=990)
> Reading at malicious_x = 0xffffffffffdfebfe... Unclear: 0x73=’s’
> score=998 (second best: 0x00=’?’ score=984)
> Reading at malicious_x = 0xffffffffffdfebff... Unclear: 0x20=’ ’
> score=998 (second best: 0x00=’?’ score=985)
> Reading at malicious_x = 0xffffffffffdfec00... Unclear: 0x61=’a’
> score=999 (second best: 0x00=’?’ score=984)
> Reading at malicious_x = 0xffffffffffdfec01... Unclear: 0x72=’r’
> score=999 (second best: 0x00=’?’ score=986)
> Reading at malicious_x = 0xffffffffffdfec02... Unclear: 0x65=’e’
> score=998 (second best: 0x00=’?’ score=980)
> Reading at malicious_x = 0xffffffffffdfec03... Unclear: 0x20=’ ’
> score=998 (second best: 0x00=’?’ score=992)
> Reading at malicious_x = 0xffffffffffdfec04... Unclear: 0x53=’S’
> score=997 (second best: 0x50=’P’ score=990)
> Reading at malicious_x = 0xffffffffffdfec05... Unclear: 0x71=’q’
> score=998 (second best: 0x00=’?’ score=984)
> Reading at malicious_x = 0xffffffffffdfec06... Unclear: 0x75=’u’
> score=999 (second best: 0x72=’r’ score=976)
> Reading at malicious_x = 0xffffffffffdfec07... Unclear: 0x65=’e’
> score=999 (second best: 0x00=’?’ score=988)
> Reading at malicious_x = 0xffffffffffdfec08... Unclear: 0x61=’a’
> score=999 (second best: 0x00=’?’ score=986)
> Reading at malicious_x = 0xffffffffffdfec09... Unclear: 0x6D=’m’
> score=999 (second best: 0x00=’?’ score=987)
> Reading at malicious_x = 0xffffffffffdfec0a... Unclear: 0x69=’i’
> score=998 (second best: 0x00=’?’ score=987)
> Reading at malicious_x = 0xffffffffffdfec0b... Unclear: 0x73=’s’
> score=984 (second best: 0x00=’?’ score=974)
> Reading at malicious_x = 0xffffffffffdfec0c... Unclear: 0x00=’?’
> score=991 (second best: 0xB4=’?’ score=933)
> Reading at malicious_x = 0xffffffffffdfec0d... Unclear: 0x20=’ ’
> score=999 (second best: 0x00=’?’ score=986)
> Reading at malicious_x = 0xffffffffffdfec0e... Unclear: 0x4F=’O’
> score=998 (second best: 0x50=’P’ score=991)
> Reading at malicious_x = 0xffffffffffdfec0f... Unclear: 0x73=’s’
> score=999 (second best: 0x00=’?’ score=987)
> Reading at malicious_x = 0xffffffffffdfec10... Unclear: 0x73=’s’
> score=998 (second best: 0x00=’?’ score=971)
> Reading at malicious_x = 0xffffffffffdfec11... Unclear: 0x69=’i’
> score=999 (second best: 0x00=’?’ score=980)
> Reading at malicious_x = 0xffffffffffdfec12... Unclear: 0x66=’f’
> score=998 (second best: 0x00=’?’ score=978)
> Reading at malicious_x = 0xffffffffffdfec13... Unclear: 0x72=’r’
> score=995 (second best: 0x00=’?’ score=981)
> Reading at malicious_x = 0xffffffffffdfec14... Unclear: 0x61=’a’
> score=996 (second best: 0x00=’?’ score=971)
> Reading at malicious_x = 0xffffffffffdfec15... Unclear: 0x67=’g’
> score=999 (second best: 0x00=’?’ score=975)
> Reading at malicious_x = 0xffffffffffdfec16... Unclear: 0x65=’e’
> score=999 (second best: 0x00=’?’ score=984)
> Reading at malicious_x = 0xffffffffffdfec17... Unclear: 0x2E=’.’
> score=999 (second best: 0x00=’?’ score=987)
>
>
>
> ---------------------------------------------------------------------------------------------------------------------
>
> CPU: Intel(R) Core(TM) i5 CPU M 460 @ 2.53GHz
> Kernel: 4.16.5-13.1-default
> cat /sys/devices/system/cpu/vulnerabilities/spectre_v2
> Mitigation: Full generic retpoline
> cat /sys/devices/system/cpu/vulnerabilities/spectre_v1
> Mitigation: __user pointer sanitization
>
> ./spectre.out
> Using a cache hit threshold of 80.
> Build: RDTSCP_SUPPORTED MFENCE_SUPPORTED CLFLUSH_SUPPORTED
> INTEL_MITIGATION_DISABLED LINUX_KERNEL_MITIGATION_DISABLED
> Reading 40 bytes:
> Reading at malicious_x = 0xffffffffffdfebe8... Success: 0x54=’T’ score=2
> Reading at malicious_x = 0xffffffffffdfebe9... Success: 0x68=’h’ score=2
> Reading at malicious_x = 0xffffffffffdfebea... Success: 0x65=’e’ score=2
> Reading at malicious_x = 0xffffffffffdfebeb... Success: 0x20=’ ’ score=7
> (second best: 0x21=’!’ score=1)
> Reading at malicious_x = 0xffffffffffdfebec... Success: 0x4D=’M’ score=2
> Reading at malicious_x = 0xffffffffffdfebed... Success: 0x61=’a’ score=2
> Reading at malicious_x = 0xffffffffffdfebee... Success: 0x67=’g’ score=2
> Reading at malicious_x = 0xffffffffffdfebef... Success: 0x69=’i’ score=7
> (second best: 0xB2=’?’ score=1)
> Reading at malicious_x = 0xffffffffffdfebf0... Success: 0x63=’c’ score=2
> Reading at malicious_x = 0xffffffffffdfebf1... Success: 0x20=’ ’ score=2
> Reading at malicious_x = 0xffffffffffdfebf2... Success: 0x57=’W’ score=2
> Reading at malicious_x = 0xffffffffffdfebf3... Success: 0x6F=’o’ score=2
> Reading at malicious_x = 0xffffffffffdfebf4... Success: 0x72=’r’ score=2
> Reading at malicious_x = 0xffffffffffdfebf5... Success: 0x64=’d’ score=2
> Reading at malicious_x = 0xffffffffffdfebf6... Success: 0x73=’s’ score=2
> Reading at malicious_x = 0xffffffffffdfebf7... Success: 0x20=’ ’ score=2
> Reading at malicious_x = 0xffffffffffdfebf8... Success: 0x61=’a’ score=2
> Reading at malicious_x = 0xffffffffffdfebf9... Success: 0x72=’r’ score=7
> (second best: 0x22=’"’ score=1)
> Reading at malicious_x = 0xffffffffffdfebfa... Success: 0x65=’e’ score=2
> Reading at malicious_x = 0xffffffffffdfebfb... Success: 0x20=’ ’ score=2
> Reading at malicious_x = 0xffffffffffdfebfc... Success: 0x53=’S’ score=2
> Reading at malicious_x = 0xffffffffffdfebfd... Success: 0x71=’q’ score=2
> Reading at malicious_x = 0xffffffffffdfebfe... Success: 0x75=’u’ score=2
> Reading at malicious_x = 0xffffffffffdfebff... Success: 0x65=’e’ score=2
> Reading at malicious_x = 0xffffffffffdfec00... Success: 0x61=’a’ score=2
> Reading at malicious_x = 0xffffffffffdfec01... Success: 0x6D=’m’ score=2
> Reading at malicious_x = 0xffffffffffdfec02... Success: 0x69=’i’ score=2
> Reading at malicious_x = 0xffffffffffdfec03... Success: 0x73=’s’ score=2
> Reading at malicious_x = 0xffffffffffdfec04... Success: 0x68=’h’ score=2
> Reading at malicious_x = 0xffffffffffdfec05... Success: 0x20=’ ’ score=2
> Reading at malicious_x = 0xffffffffffdfec06... Success: 0x4F=’O’ score=2
> Reading at malicious_x = 0xffffffffffdfec07... Success: 0x73=’s’ score=2
> Reading at malicious_x = 0xffffffffffdfec08... Success: 0x73=’s’ score=2
> Reading at malicious_x = 0xffffffffffdfec09... Success: 0x69=’i’ score=2
> Reading at malicious_x = 0xffffffffffdfec0a... Success: 0x66=’f’ score=2
> Reading at malicious_x = 0xffffffffffdfec0b... Success: 0x72=’r’ score=2
> Reading at malicious_x = 0xffffffffffdfec0c... Success: 0x61=’a’ score=2
> Reading at malicious_x = 0xffffffffffdfec0d... Success: 0x67=’g’ score=7
> (second best: 0x42=’B’ score=1)
> Reading at malicious_x = 0xffffffffffdfec0e... Success: 0x65=’e’ score=2
> Reading at malicious_x = 0xffffffffffdfec0f... Success: 0x2E=’.’ score=2
>
>
On Fri, Jun 01, 2018 at 02:19:38PM +0200, Andreas Hartmann wrote:
> I tested the spectre mitigation of different machines and kernels with
> https://github.com/crozone/SpectrePoC
>
> You can see the results below.
> My question: Did I miss something?
Yes.
> Build: ... INTEL_MITIGATION_DISABLED LINUX_KERNEL_MITIGATION_DISABLED
> Build: ... INTEL_MITIGATION_DISABLED LINUX_KERNEL_MITIGATION_DISABLED
> Build: ... INTEL_MITIGATION_DISABLED LINUX_KERNEL_MITIGATION_DISABLED
^^^^^^^^ ^^^^^^^^
The POC is a v1 on itself. V1 needs to be fixed for every individual
executable (worse, for every individual location in the code, and we're
still finding them). The kernel mitigation status for v1 only indicates
the kernel itself has mitigations (for some locations).
The POC is meant to test effectiveness of these mitigations, either the
original LFENCE or the dependent instruction thing, but you have to
enable one or the other.
Hello Peter,
thanks for your answer! I appreciate it!
On 06/04/2018 at 10:15 AM Peter Zijlstra wrote:
> On Fri, Jun 01, 2018 at 02:19:38PM +0200, Andreas Hartmann wrote:
>
>> I tested the spectre mitigation of different machines and kernels with
>> https://github.com/crozone/SpectrePoC
>>
>> You can see the results below.
>
>> My question: Did I miss something?
>
> Yes.
>
>> Build: ... INTEL_MITIGATION_DISABLED LINUX_KERNEL_MITIGATION_DISABLED
>> Build: ... INTEL_MITIGATION_DISABLED LINUX_KERNEL_MITIGATION_DISABLED
>> Build: ... INTEL_MITIGATION_DISABLED LINUX_KERNEL_MITIGATION_DISABLED
>
> ^^^^^^^^ ^^^^^^^^
>
> The POC is a v1 on itself. V1 needs to be fixed for every individual
> executable (worse, for every individual location in the code, and we're
> still finding them). The kernel mitigation status for v1 only indicates
> the kernel itself has mitigations (for some locations).
>
> The POC is meant to test effectiveness of these mitigations, either the
> original LFENCE or the dependent instruction thing, but you have to
> enable one or the other.
Ok, this means every program running on the machine has to care itself
to be spectre v1 - safe.
A malicious program most probably won't care about that. Therefore, my
next question is: which memory regions can be exploited by a malicious
program? The complete physical memory or only the memory provided to the
malicious program? Should be the latter if this approach should have any
impact.
Thanks,
Andreas
On Mon, Jun 04, 2018 at 10:50:07AM +0200, Andreas Hartmann wrote:
> Ok, this means every program running on the machine has to care itself
> to be spectre v1 - safe.
Correct. Compiler and static analyser teams are looking hard at this to
help.
> A malicious program most probably won't care about that. Therefore, my
> next question is: which memory regions can be exploited by a malicious
> program? The complete physical memory or only the memory provided to the
> malicious program? Should be the latter if this approach should have any
> impact.
It affects the virtual memory of the target process.
On Mon, Jun 04, 2018 at 10:50:07AM +0200, Andreas Hartmann wrote:
> Hello Peter,
>
> thanks for your answer! I appreciate it!
>
> On 06/04/2018 at 10:15 AM Peter Zijlstra wrote:
> > On Fri, Jun 01, 2018 at 02:19:38PM +0200, Andreas Hartmann wrote:
> >
> >> I tested the spectre mitigation of different machines and kernels with
> >> https://github.com/crozone/SpectrePoC
> >>
> >> You can see the results below.
> >
> >> My question: Did I miss something?
> >
> > Yes.
> >
> >> Build: ... INTEL_MITIGATION_DISABLED LINUX_KERNEL_MITIGATION_DISABLED
> >> Build: ... INTEL_MITIGATION_DISABLED LINUX_KERNEL_MITIGATION_DISABLED
> >> Build: ... INTEL_MITIGATION_DISABLED LINUX_KERNEL_MITIGATION_DISABLED
> >
> > ^^^^^^^^ ^^^^^^^^
> >
> > The POC is a v1 on itself. V1 needs to be fixed for every individual
> > executable (worse, for every individual location in the code, and we're
> > still finding them). The kernel mitigation status for v1 only indicates
> > the kernel itself has mitigations (for some locations).
> >
> > The POC is meant to test effectiveness of these mitigations, either the
> > original LFENCE or the dependent instruction thing, but you have to
> > enable one or the other.
>
> Ok, this means every program running on the machine has to care itself
> to be spectre v1 - safe.
Correct. Primiarily this matters for things like JITs, where untrusted code may
be run in the same address space as sensitive data.
> A malicious program most probably won't care about that. Therefore, my
> next question is: which memory regions can be exploited by a malicious
> program? The complete physical memory or only the memory provided to the
> malicious program? Should be the latter if this approach should have any
> impact.
Assuming you have a CPU which is not vulnerable to meltdown / variant-3, or you
have mitigated this, (e.g. with KPTI), a malicious program can only access data
within its own address space.
Spectre variant-1 alone only gives access to memory in the address space of the
program itself.
Thanks,
Mark.
Hello Mark,
On 06/04/2018 at 11:19 AM Mark Rutland wrote:
> On Mon, Jun 04, 2018 at 10:50:07AM +0200, Andreas Hartmann wrote:
>> Hello Peter,
>>
>> thanks for your answer! I appreciate it!
>>
>> On 06/04/2018 at 10:15 AM Peter Zijlstra wrote:
>>> On Fri, Jun 01, 2018 at 02:19:38PM +0200, Andreas Hartmann wrote:
>>>
>>>> I tested the spectre mitigation of different machines and kernels with
>>>> https://github.com/crozone/SpectrePoC
>>>>
>>>> You can see the results below.
>>>
>>>> My question: Did I miss something?
>>>
>>> Yes.
>>>
>>>> Build: ... INTEL_MITIGATION_DISABLED LINUX_KERNEL_MITIGATION_DISABLED
>>>> Build: ... INTEL_MITIGATION_DISABLED LINUX_KERNEL_MITIGATION_DISABLED
>>>> Build: ... INTEL_MITIGATION_DISABLED LINUX_KERNEL_MITIGATION_DISABLED
>>>
>>> ^^^^^^^^ ^^^^^^^^
>>>
>>> The POC is a v1 on itself. V1 needs to be fixed for every individual
>>> executable (worse, for every individual location in the code, and we're
>>> still finding them). The kernel mitigation status for v1 only indicates
>>> the kernel itself has mitigations (for some locations).
>>>
>>> The POC is meant to test effectiveness of these mitigations, either the
>>> original LFENCE or the dependent instruction thing, but you have to
>>> enable one or the other.
>>
>> Ok, this means every program running on the machine has to care itself
>> to be spectre v1 - safe.
>
> Correct. Primiarily this matters for things like JITs, where untrusted code may
> be run in the same address space as sensitive data.
>
>> A malicious program most probably won't care about that. Therefore, my
>> next question is: which memory regions can be exploited by a malicious
>> program? The complete physical memory or only the memory provided to the
>> malicious program? Should be the latter if this approach should have any
>> impact.
>
> Assuming you have a CPU which is not vulnerable to meltdown / variant-3, or you
> have mitigated this, (e.g. with KPTI), a malicious program can only access data
> within its own address space.
>
> Spectre variant-1 alone only gives access to memory in the address space of the
> program itself.
Thanks Mark! Now I've a better understanding about the effects the
different vulnerabilities around Spectre and Meltdown do have and I'm
now hopefully able to better estimate them.
As I'm mostly using AMD-CPUs (like Ryzen 1 e.g.) for virtualization, I
should be secure by default regarding unwanted global memory access from
the VM to the host memory, because the Ryzen 1 CPU is not affected by
Meltdown at all.
Regards,
Andreas
> A malicious program most probably won't care about that. Therefore, my
> next question is: which memory regions can be exploited by a malicious
> program? The complete physical memory or only the memory provided to the
> malicious program? Should be the latter if this approach should have any
> impact.
Spectre is not about memory regions. It's about speculative execution
leaving measurable footprints. What footprints you leave depend upon what
code you are executing. Thus the question becomes 'what can the target
access'.
In order to attack something you need both a way to influence the code
concerned and a way to measure it. In addition it needs to have some
secret you want.
In practice that usually means something on the same system with its own
memory space/privilege level. The usual cases then are user<->kernel and
managed application<->runtime.
Thus it's very different to meltdown style attacks.
If you are actually worried about this you should probably also read up
on more general cache prime/probe attacks and cache profiling (things
like the ARMageddon paper are worth reading - and while it was done on
ARM much of it is generic to most modern processors), as well as timing
attacks.
Alan
On Mon, 4 Jun 2018, Andreas Hartmann wrote:
> Sorry for a ping - but I think the behavior shown below should really be
> investigated!
There is not much to investigate ...
> > I tested the spectre mitigation of different machines and kernels with
> > https://github.com/crozone/SpectrePoC
> >
> > You can see the results below.
> > My question: Did I miss something?
Yes.
> > My expectation was, that on base of the output of
> > /sys/devices/system/cpu/vulnerabilities/spectre_v* as shown below the
> > problem should be gone away.
> > But the results seem to tell me something other ... .
> > CPU: AMD Ryzen 7 1700X Eight-Core Processor
> > Bios: BIOS 4011 04/19/2018 - ibpb is listed in /proc/cpuinfo
> > Kernel: 4.14.44-1.1-default
> > cat /sys/devices/system/cpu/vulnerabilities/spectre_v2
> > Mitigation: Full AMD retpoline, IBPB
> > cat /sys/devices/system/cpu/vulnerabilities/spectre_v1
> > Mitigation: __user pointer sanitization
Looks correct, but irrelevant.
> >
> > ./spectre.out
> > Using a cache hit threshold of 80.
> > Build: RDTSCP_SUPPORTED MFENCE_SUPPORTED CLFLUSH_SUPPORTED
This is the info you missed:
> > INTEL_MITIGATION_DISABLED LINUX_KERNEL_MITIGATION_DISABLED
The whole POC is sniffing on itself and it allows you to compile with
different mitigation enabled or disabled. You disabled both. So it's
expected to succeed.
It does not matter at all which mitigations the kernel has enabled because
they do not affect the user space programm attacking itself. It's just a
demonstrator of the attack technology along with options to demonstrate the
effectiveness of mitigation strategies.
Thanks,
tglx
On 06/04/2018 at 04:12 PM Alan Cox wrote:
>> A malicious program most probably won't care about that. Therefore, my
>> next question is: which memory regions can be exploited by a malicious
>> program? The complete physical memory or only the memory provided to the
>> malicious program? Should be the latter if this approach should have any
>> impact.
>
> Spectre is not about memory regions. It's about speculative execution
> leaving measurable footprints. What footprints you leave depend upon what
> code you are executing. Thus the question becomes 'what can the target
> access'.
>
> In order to attack something you need both a way to influence the code
> concerned and a way to measure it. In addition it needs to have some
> secret you want.
>
> In practice that usually means something on the same system with its own
> memory space/privilege level. The usual cases then are user<->kernel and
> managed application<->runtime.
Would this be a practical test case: Gather keys and passwords used by a
ssh login by running a malicious program in parallel to sshd as another
ordinary user w/o root access.
Thanks,
Andreas